
GCFA Practice Questions: Identification of Normal System & User Activity Domain

Test your GCFA knowledge with 10 practice questions from the Identification of Normal System & User Activity domain. Includes detailed explanations and answers.

GCFA Practice Questions

Master the Identification of Normal System & User Activity Domain

Test your knowledge in the Identification of Normal System & User Activity domain with these 10 practice questions. Each question is designed to help you prepare for the GCFA certification exam with detailed explanations to reinforce your learning.

Question 1

Given the following Windows Event Log snippet, which activity is most consistent with normal user behavior?

  Event ID: 4624
  Logon Type: 2
  Account Name: jdoe
  Source Network Address: -

  Event ID: 4672
  Special Privileges Assigned: SeSecurityPrivilege, SeBackupPrivilege

A) Remote desktop session initiated by jdoe

B) Interactive logon at the local machine by jdoe

C) Scheduled task execution under jdoe's account

D) Network logon from a remote machine by jdoe


Correct Answer: B

Explanation: Logon Type 2 indicates an interactive logon at the local machine. The absence of a source network address supports this being a local logon. Option A would typically involve Logon Type 10, option C could involve different Event IDs, and option D would show a network address.

Question 2

You analyze a Prefetch file for an application executed on a system. What information can you prioritize to determine normal usage patterns?

A) Last execution time

B) Application size

C) Number of executions

D) File path of the application


Correct Answer: C

Explanation: The 'Number of executions' indicates how often the application is run, which helps identify normal usage patterns.

Question 3

Review the following Registry key entry:

  Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
  Value: Skype
  Data: C:\Program Files (x86)\Skype\Phone\Skype.exe

What does this entry suggest about normal user activity?

A) Skype is set to run at startup.

B) Skype is installed in a non-standard location.

C) Skype was uninstalled recently.

D) Skype is scheduled for a future update.


Correct Answer: A

Explanation: The Registry key entry under HKCU\...\Run indicates that Skype is configured to run automatically at user login, a common configuration for user applications. Options B, C, and D do not accurately describe the implication of this Registry entry.

Question 4

Analyze the following Prefetch file entry. Which activity does it most likely indicate?

  File Name: NOTEPAD.EXE
  Last Run Time: 2023-09-15 14:23:45
  Run Count: 5

A) Notepad was installed on the system

B) Notepad was opened manually by a user

C) Notepad was executed by a scheduled task

D) Notepad was removed from the system


Correct Answer: B

Explanation: The Prefetch file indicates that Notepad was executed, and the run count suggests it was opened multiple times, likely by a user. Installation or removal would not affect the Prefetch in this manner, and scheduled tasks are less common for Notepad.

Question 5

Interpret the following USN Journal entry: Reason: FILE_CREATE, File Name: report.docx. What does this suggest about the file?

A) report.docx was deleted

B) report.docx was modified

C) report.docx was created

D) report.docx was accessed


Correct Answer: C

Explanation: The USN Journal entry with the reason 'FILE_CREATE' indicates that the file 'report.docx' was created.

Question 6

During a timeline analysis, you notice a series of 'UserAssist' entries in the Registry. What do these entries typically record?

A) Installed software updates.

B) User's recent application usage.

C) System boot times.

D) Connected USB devices.


Correct Answer: B

Explanation: UserAssist entries in the Windows Registry record the user's recent application usage, helping analysts understand user activity. Options A, C, and D are incorrect as they describe different types of records.

Question 7

Evaluate the following MFT entry. What can you conclude about the file's usage?

  File Name: notes.txt
  Created: 2023-09-15
  Modified: 2023-09-20
  Accessed: 2023-09-21

A) notes.txt was deleted

B) notes.txt was modified after access

C) notes.txt was accessed after modification

D) notes.txt was never accessed


Correct Answer: C

Explanation: The MFT entry shows that notes.txt was accessed on 2023-09-21, after its last modification on 2023-09-20, indicating it was accessed after being modified.

Question 8

Given this SRUM data entry, what does it most likely indicate?

  Application: chrome.exe
  User: alice
  Network Usage: 200MB
  Timestamp: 2023-09-30 18:45:00

A) Chrome was used for local file access

B) Chrome was used for significant internet activity

C) Chrome was updated automatically

D) Chrome was idle during this time


Correct Answer: B

Explanation: The SRUM data indicates significant network usage by Chrome, suggesting internet activity. Local file access (A) and being idle (D) would not generate network usage, and updates (C) typically involve smaller data amounts.

Question 9

Given the following Windows Event Log entry, identify the normal user activity:

  Event ID: 4624
  Logon Type: 2
  Account Name: user1

What does this event indicate?

A) A batch job was executed.

B) A user logged on interactively.

C) A network logon occurred.

D) A service started under the user context.


Correct Answer: B

Explanation: Event ID 4624 with Logon Type 2 indicates an interactive logon, which is a normal user activity when a user logs on directly to a system. Options A, C, and D correspond to different logon types or activities.

Question 10

An analyst is examining the USN Journal and notices frequent entries for a specific file. What does this suggest about the file's activity?

A) The file is rarely accessed.

B) The file is frequently modified or accessed.

C) The file is marked for deletion.

D) The file has been encrypted.


Correct Answer: B

Explanation: Frequent entries in the USN Journal for a file suggest it is often modified or accessed. Options A, C, and D are incorrect as they do not align with the frequent entries observed.
